The odds are that you were first exposed to some form of advanced authentication as an employee when you were given a key-chain token to connect to the company VPN or webmail, or as a customer when you received a code in a short text asking you to confirm a transaction. Although these look like completely different technologies, they have exactly the same single purpose: ensuring with the least possible error that a returning user of a service is the initially enrolled user. If they share the same goal, then why are Enterprise and consumer multi-factor authentication (MFA) so different? Is this going to remain so?
Consumer and Enterprise MFA: Different starting points
MFA appeared roughly at the same time as remote connections to corporate networks. Paradoxically, although cybercriminals hardly existed, it was inconceivable for large organizations to give access to their IT without some strong form of security, ‘strong’ meaning ‘hardware-based’. Enterprise MFA (at that time a tautology) therefore established itself as a sophisticated but quite expensive technology that equipped a fraction of the staff of large organizations.
In contrast, when the World Wide Web became a mainstream phenomenon and it became possible to pay or to move money online, identity fraud skyrocketed. However, online business was growing even faster, making identity security concerns an important discussion topic – but not yet a market. In 2007, when I started to brainstorm an authentication startup project that later on became inWebo, consumer MFA wasn’t even a concept. Authentication was based on passwords and free.
Explaining different trajectories
As the Enterprise MFA market expanded and started to attract more suppliers, differentiation built itself on price. Clones of RSA sprouted. The arrival of feature phones and early smartphones soon disrupted that market, making sound MFA possible without hardware. As a result, solutions improved both in terms of price and convenience (real security was downgraded at the same time, this is the subject of other posts).
Given the opposite starting points of Enterprise and consumer authentication solutions – the latter being free and hardly secure -, consumer MFA initially focused on increasing security but also on keeping costs as low as possible, actually far lower than what Enterprise MFA suppliers were charging. Therefore Enterprise-like solutions weren’t deployed on the new consumer MFA market – with some exceptions here and there. A few inexpensive options, such as printed code cards (TAN) or hidden paths never found adoption since neither brought enough security for the extra costs and friction they introduced. So the first real take-off of consumer authentication was brought with mobile phone generalization that allowed service providers to send one-time codes in short text messages.
Why consumer and Enterprise MFA may be converging
A lot of MFA-enabling technologies – such as smartphones, applications stores, html5, push notification frameworks, IaaS and PaaS platforms, but also biometric sensors on smartphones – are now widely available. Like any other software, MFA can therefore now be provided “at no cost” (beyond R&D, QA, operations, marketing & sales, corporate…), since MFA providers no longer need to manufacture and ship hardware devices, or to buy short texts in bulk from carriers and brokers. This allows for more flexible pricing, which now meets most service providers’ very low willingness to pay.
Furthermore, most of IT is now consumerized: employees are consumers to start with, they use web and mobile applications for both professional and personal reasons, most of the time from the same devices. Authentication should be no exception, there’s no obvious reason not to consumerize it too.
So it looks like MFA solutions have reached an “operating point” – consisting of pricing, security level, and friction level – meeting the expectations of both MFA markets, Enterprise and consumer-facing. Are therefore both markets merging?
And why they won’t
Branding requirements and corporate culture – yes, culture – are likely to keep the two markets separate for some time still.
It’s totally common and fine to show IT providers to employees, because IT is just a tool for most organizations, not a goal. The IT department’s objectives are no longer (if they ever were?) to develop in-house applications, but to select, integrate, and support the best tools for the business. Let’s say it: it’s now more cool to use well-designed vendor-developed Apps than the usually clunky corporate ones. MFA is no exception here.
In contrast, online providers build their products. Having a customer use a third-party provider to authenticate is not only a culture and branding clash, it’s also – whether or not there are good reasons – considered to trigger trust concerns.
Also, regulations faced by service providers in some verticals – in particular those likely to be most needing MFA, such as banking, payment, healthcare – makes it difficult for Enterprise MFA suppliers to enter consumer MFA market segments, in particular with managed solutions running in the Cloud.
A common platform to reconcile them
Recognizing the convergence of the “operating points” but also the reasons why Enterprise MFA solutions still didn’t fit service providers, inWebo developed both an MFA solution and an MFA platform.
A platform has no UI (user interface), it has APIs and SDKs (things developers like). Organizations not wanting to develop around an MFA platform use a ready-built MFA solution based on the platform, while service providers (and system integrators) use MFA platforms to build customized and branded MFA solutions, without having to reinvent the wheel. The wheel means in this case, among other things, (1) to dive into cryptography; (2) to integrate all new mobile platforms, OS, and web browsers; (3) to leverage smartphones and other devices’ capabilities as they appear, such as biometric sensors; (4) to design a secure lifecycle authentication credentials; and (5) to support multi-device and multi-service enrollment and recovery. An MFA platform is a fairly heavy and complex wheel.
The MFA platform approach – pioneered by inWebo in 2011 – is therefore removing the distinctions between consumer and Enterprise MFA and blurring the frontiers between both markets.